CSF question re banned IP addresses.

[Brook]

We have installed CSF (Configserver Security Firewall) on our server (as a cpanel plug-in) and it's been sending me some emails about some banned IP addresses:

Quote:

Banned the following ip addresses on Wed Jun 24 10:03:01 BST 2009

1.2.3.4.5.6(ip) with 230 connections

What does this actually mean? Is it definitely an attack? 230 open connections? Is it the same as hits?

It's banned about 8 IP's and interestingly they come from an education establishment's ISP and another two ISPs that all resolve to the same geographical area! Which is what makes me think this is a calculated attack.

Also the odd thing is, even tho it's banned these IPs - it keeps sending me an email with them saying it's banned them again... are they just temporarily banned?

Thanks in advance!

[Infopro]

You'll have more luck over at the CSF forums for questions like this.
ConfigServer Scripts Forum - Powered by vBulletin Reading the manual is always a good idea too.
http://www.configserver.com/free/csf/readme.txt

You can set it to the number of connection(s) tracking you like, how to block temp or perm, along with lots more. Just needs to be looked at a few hundred times and tweaked as you go for your own system.

If you're in a hurry, open CSF, click Firewall Security level, click high. Then save. Good solid starting point that you can tweak later to your own tastes.

GL

[PlatinumServerM]

The subject and headers of that email should provide more details on why it was banned. You can also check the logs and the csf deny file.

[Brook]

Thanks for the replies. I've looked at the readme file, but it doesn't explain the connections. Also posted on the CSF forum, but no answer.

Anyone here know what these connections actually are?